S1088: Disco
Disco is a custom implant that has been used by MoustachedBouncer since at least 2020, including in campaigns using targeted malicious content injection for initial access and command and control.[1]
Analyst context for executives and security teams
Disco matters because it is a Windows custom implant associated in ATT&CK with MoustachedBouncer, a cyberespionage group described as targeting foreign embassies in Belarus. For security leaders, the practical concern is not the malware name alone, but the pattern around it: user-opened malicious files, content injection for access or command and control, scheduled-task persistence/execution, file-transfer-style command and control, and tool ingress. These behaviors can affect executive confidence in endpoint visibility, network inspection, and incident response readiness, especially in diplomatic, government-facing, or other targeted environments.
Executive priority
Prioritize validation of controls and evidence around Windows endpoint execution, scheduled tasks, file transfer traffic, and user-driven malicious file handling. Because ATT&CK provides no official detection text for Disco, leaders should ask whether the organization can prove coverage through collected telemetry and tested detections rather than relying on malware-family signatures. This is most relevant for resilience planning, audit evidence, and IR decision-making in environments where targeted content delivery or manipulated network traffic would be high-impact.
Technical view
For SOC and IR teams, treat Disco as a Windows implant with ATT&CK relationships to T1204.002 Malicious File, T1659 Content Injection, T1053.005 Scheduled Task, T1071.002 File Transfer Protocols, and T1105 Ingress Tool Transfer. Validate whether endpoint telemetry can show suspicious file execution followed by scheduled task creation or modification, and whether network telemetry can distinguish expected file-transfer protocols from unusual command-and-control or tool-transfer patterns. Because no official detection guidance is provided, detection engineering should be behavior-led and tied to these related techniques rather than based only on the Disco name.
Likely telemetry
- Windows process creation and command-line telemetry
- Windows scheduled task creation, modification, and execution events
- Endpoint file creation and execution metadata for user-opened files
- Network flow, proxy, firewall, DNS, and protocol logs related to file-transfer activity
- Evidence of inbound tool or payload transfer after initial execution
Detection direction
- Validate detections for new or unusual scheduled tasks on Windows endpoints, especially when preceded by user-launched files or unexpected process chains.
- Tune network analytics for unusual file-transfer protocol use, external destinations, timing, volume, or hosts that do not normally perform those transfers.
- Correlate suspicious file execution with subsequent ingress tool transfer or command-and-control-like network activity.
- Review visibility for content injection scenarios, recognizing that manipulated traffic may not look like a conventional phishing download or compromised website visit.
- Account for false positives from legitimate administrative scheduled tasks and normal file-transfer business processes by using baselines and asset context.
Mitigation priorities
- Harden Windows execution paths for user-delivered files through attachment handling, least privilege, and endpoint protection policy.
- Restrict and monitor scheduled task creation to expected administrators, tools, and change windows.
- Limit unnecessary file-transfer protocols and require logging, egress control, and inspection where business use is required.
- Improve user-facing controls and response playbooks for suspicious files, while recognizing that ATT&CK also links this malware to content injection rather than only user lures.
- Test incident response procedures for confirming persistence, scoping transferred tools, and preserving endpoint and network evidence.
Analyst notes and limits
The relationship context is the most useful source for defensive planning: Disco is associated with MoustachedBouncer and uses techniques spanning execution, persistence, command and control, ingress transfer, and content injection. A Glexia assessment should map these behaviors to the client’s actual Windows endpoint logging, network monitoring, egress controls, and IR collection capability.
ATT&CK does not provide official detection text, aliases, labels, or malware-level tactics for Disco in the supplied fields. The object states Windows as the malware platform, while some related techniques list broader platforms; local validation is required before assuming relevance outside Windows. This summary does not assert current activity or customer exposure.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | Disco can download files to targeted systems via SMB.[1] |
| Enterprise | T1659 | Content Injection | Disco has achieved initial access and execution through content injection into DNS, HTTP, and SMB replies to targeted hosts that redirect them to download malicious files.[1] |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | Disco can create a scheduled task to run every minute for persistence.[1] |
| Enterprise | T1204.002 | Malicious File (sub-technique) | Disco has been executed through inducing user interaction with malicious .zip and .msi files.[1] |
| Enterprise | T1071.002 | File Transfer Protocols (sub-technique) | Disco can use SMB to transfer files.[1] |
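As an added example (not part of this page, of ATT&CK, or of the ESET report), the Python below turns the Detection direction items and the procedure details in the techniques table into one correlation rule: a user-opened .msi or .zip, followed on the same host within a short window by an every-minute scheduled task and/or SMB (TCP 445) to a non-internal address. Event field names, hosts, users, paths, addresses, the window and the internal ranges are assumptions, and the telemetry is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WINDOW = timedelta(minutes=15)          # assumed correlation window
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed
LURE_EXTS = (".msi", ".zip")            # user-opened file types the table lists

# Constructed sample telemetry; hosts, users, paths and addresses are invented.
EVENTS = [
    {"ts": "2023-08-10T09:00:00", "host": "WS01", "kind": "process",
     "cmdline": r"msiexec.exe /i C:\Users\jdoe\Downloads\invite.msi"},
    {"ts": "2023-08-10T09:00:20", "host": "WS01", "kind": "task",
     "task": r"\Updater", "interval": "PT1M"},          # repeats every minute
    {"ts": "2023-08-10T09:01:05", "host": "WS01", "kind": "netconn",
     "dst": "203.0.113.7", "dport": 445},                # SMB to a non-internal host
    {"ts": "2023-08-10T10:00:00", "host": "WS02", "kind": "task",
     "task": r"\Backup", "interval": "PT1M"},            # admin task, no preceding lure
    {"ts": "2023-08-10T10:00:30", "host": "WS02", "kind": "netconn",
     "dst": "10.0.0.5", "dport": 445},                   # internal file server
]

def is_user_opened_lure(e):
    return e["kind"] == "process" and e["cmdline"].lower().endswith(LURE_EXTS)

def is_minute_task(e):
    # Task Scheduler expresses repetition as an ISO 8601 duration; PT1M = every minute.
    return e["kind"] == "task" and e.get("interval") == "PT1M"

def is_external_smb(e):
    return (e["kind"] == "netconn" and e["dport"] == 445
            and not any(ip_address(e["dst"]) in net for net in INTERNAL))

def correlate(events, window=WINDOW):
    """One finding per lure that is followed, within the window, by a minute task and/or external SMB."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        for i, lure in enumerate(evs):
            if not is_user_opened_lure(lure):
                continue
            t0 = datetime.fromisoformat(lure["ts"])
            later = [e for e in evs[i + 1:] if datetime.fromisoformat(e["ts"]) - t0 <= window]
            task = next((e["task"] for e in later if is_minute_task(e)), None)
            smb = next((e["dst"] for e in later if is_external_smb(e)), None)
            if task or smb:   # the minute task on WS02 alone never fires: no preceding lure
                findings.append({"host": host, "lure": lure["cmdline"], "task": task, "smb_dst": smb})
    return findings
```

Replacing the constructed `EVENTS` with normalized process-creation, Task Scheduler and flow events from a SIEM, and `INTERNAL` with real asset context, is the adaptation step; the "lure first" ordering is what keeps routine administrative minute tasks out of the results.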
Groups, software, and campaigns
G1019: MoustachedBouncer
MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 732401e4e4c1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] MoustachedBouncer ESET August 2023: Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
[2] mitre-attack S1088
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.